PS3 [Update] 4.84.1 STARBUGED CFW + (Includes NEW COBRA 8.00 / .01 payload) by habib

The 4.84 Custom Firmware landscape for the PS3 has certainly taken shape over the last few days, as multiple developers have not only updated their projects but pushed the PS3 scene forward as well. We saw Team Rebug drop the 4.84 REBUG LITE edition and the 4.84 FERROX Cobra CFWs, both carrying the Cobra v7.55 payload. But while Team Rebug member @Joonie was finishing up the Rebug Lite release and testing and was about to publish it, developer @habib (another Team Rebug member) was working on advancing the Cobra payload with new features that mature it to Cobra v8.00 (updated to v8.01, see below), shipped in this 4.84 STARBUGED COBRA (v8.00) CFW. The blend of Starbucks + Rebug = Starbuged: this CFW not only comes equipped with the new Cobra v8.00 features but also contains every feature that the REBUG Lite edition offers.

The Cobra v8.00 payload sees a few changes, highlighted by the ability to run a payload with kernel privileges, the same concept the PS Vita scene knows as skprx, now on the PS3. Currently only a single payload is supported at a time, but habib says he may raise that limit in the future. v8.00 should also improve boot time dramatically according to the developer, as there is no longer a stage 1 at boot. Also note that this CFW has Cobra enabled by default (in contrast to Rebug Lite, where it needs to be turned on). Additional details about this CFW release can be seen below.
-STLcardsWS

(logo by @solomanDK)

Check out other 4.84 related releases in this thread here

  • 4.84.1 Starbuged + Cobra v8.00 CFW
    Starbuged = Starbucks Release + Rebug Seasoning

    FEATURES: (Contains Rebug Lite + Cobra v8.00 features)
    • FEATURE – COBRA 8.00 (Enabled by default)
      • Background running plugins at boot time (sprx)
      • ISO Support: PS1/PS2/PS3/PSP/DVD/BluRay (Split ISO support on FAT32 drives)
      • Network Support: PS1/PS3/DVD/BluRay /PKGs
      • Blu Ray Movie region free functionality
      • NTFS HDD Support (prepNTFS or multiMAN required to scan contents)
      • PS2 ISO Support for BC (HW) / non-BC (SW) Consoles
      • Syscall 11 – Cobra lv1 Peek
      • Syscall 15 – Allow execution of any LV2 internal function
      • PSNPatch stealth plugin support
        • ISO rips are required to get 100% support. For example, after disabling syscalls, games like Call of Duty will not play unless you use ISO rips; please DO NOT expect everything to be fully functional when you disable COBRA's built-in features. Folder rips are NOT compatible with PSNPatch's stealth mode, because stealth mode disables COBRA's disc-less feature for folder JB rips.
      • PS3MAPI support, allows you to attach process on both CEX/DEX via its own API app.
      • Backup Protection Removal: adds full PS3 backup support on all multiMAN/sMAN/webMAN, IRIS Manager forks and Managunz.
      • Allow modification on Syscall 6/7/8/9/10/11/15.
      • Burned/Burnt optical media support for PS1/PS3 Games on All models
      • Homebrew blocker – blocks homebrew access while Syscalls are disabled
      • New in v8.00: Run payload with kernel privileges. Added option to run a payload with kernel privileges, like PS Vita skprx. This is a big thing! One can make hooks, printf to socat, do whatever they feel they need to do. At the current time only one payload is supported at a time; in the future I might increase this.
      • New in v8.00: Boot time improved, as there is no stage1.
      • New in v8.00: PS2 BC and semi-BC consoles won't load ISOs when Cobra is disabled (disable Cobra using the opcode).
    • FEATURE – Full Polish support for XMB/PS2 Emu (Provide full Polish character support)
    • FEATURE – Cinavia protection fully disabled (Supports optical media/bd iso, AACS must be decrypted)
    • FEATURE – Homebrew store compatibility (Downloading debug signed packages is now available on retail CFW.)
    • FEATURE – PSN/SEN Accessibility (PSN /SEN Accessible , until the next OFW update)
    • FEATURE – XMBM+ Compatibility (XMB Manager Plus developed by Team XMBM now supported via standalone pkgs.)
    • FEATURE – HAN Toolbox Compatibility (HAN Toolbox Support added for testing HAN Signed pkgs on CFW)
    • FEATURE – Enhanced Remote Play (This unlocks the limitation of working apps/games for remote play, by disabling SFO flag check)
    • FEATURE – In Game Screenshot (Allows taking screenshots in game)
    • FEATURE – QA Token compatibility
    • FEATURE – OtherOS++ support enabled (Use Rebug Toolbox to Boot OtherOS with different LV1 patches)
    • FEATURE – Package Manager (Replacement for the standard 'Install Package Files' option)
    • FEATURE – FSELF compatibility (Fake Signed ELF is supported)
    • FEATURE (Optional) Toolbox 02.03.00
      • TOGGLE XMB CFW SETTINGS Enable or Disable mysis's XMB CFW settings plugin v0.1. The feature is available via Network Column on XMB after Enabled.
      • TOGGLE COBRA MODE: COBRA mode ACTIVE by default, this option can toggle COBRA mode to enable COBRA 8.00 payload on boot
      • TOGGLE QA: Enable/Disable QA flag. Enable for easy downgrade and other extra features on all 3.55-4.84 CFW.
      • TOGGLE RECOVERY MODE: Enable/Disable Recover Mode flag. When enabled your PS3 will reboot into Recovery Mode.
      • LOAD LV2 KERNEL: Load lv2_kernel.self.[KERNEL_NAME] from USB or /dev_hdd0
      • BACKUP/RESTORE XREGISTRY: Backup or Restore the PS3 system settings from USB
      • RESIZE VFLASH/NAND REGIONS: Resize VFLASH/NAND Region 5 to allow install of OtherOS.
      • INSTALL PETITBOOT: Install Petitboot to VFLASH/NAND Region 5 from USB.
      • SET GAMEOS BOOT FLAG: Sets the GameOS boot flag. Use this if your PS3 is having trouble booting PS2 titles after running OtherOS or is accidentally sending you back to OtherOS when trying to enter recovery mode.
      • CREATE PACKAGES FOLDER ON PS3: Create /dev_hdd0/packages folder or your PS3 to be used with Package Manager.
      • EXPORT HYPERVISOR LV1 MEMORY: Save LV1 memory to dev_usb000 or dev_usb006 or dev_hdd0 if usb is not found.
      • EXPORT GAMEOS LV2 MEMORY: Save LV2 memory to dev_usb000 or dev_usb006 or dev_hdd0 if usb is not found.
      • EXPORT FLASH TO FILE: Backup your current NOR/NAND to file on dev_usb000. Takes about 45secs for NAND
      • DUMP EID ROOT KEY: Dump your eid root key.
    • FEATURE – XMB CFW settings v0.1a (Optional)
      • XMB Icons for various CFW tasks, available in Network Column (on XMB) Simply select and the task is executed!
      • Settings – Toggle COBRA
      • Dump Tools – Klicense, File Secure ID, IDPS, Disc Hash key
      • Service Tools – Display Minimum Downgrade FW Version, Rebuild Database, Check File System, Entering Recovery Mode (NOR Models Only)
      • Advanced Service Tools – Entering FSM (!!!DO NOT install FW while in FSM, that may lead to RSOD!!!), Remarry BD drive and RSOD fix
    • PATCHED – Appldr: LV2 memory hash check is disabled (Memory protection on LV2 is disabled in higher level)
    • PATCHED – LV1: Disable System Integrity Check (Safe to use with mismatched COREOS/SYSCON versions or if PS3 is not QA enabled)
    • PATCHED – LV1: Undocumented function 114 (Allow mapping of protected memory)
    • PATCHED – LV1: Skip all ACL Checks (Needed to allow booting of OtherOS)
    • PATCHED – LV1: Peek and Poke support (Unused LV1 call 182 and 183)
    • PATCHED – LV2: Peek and Poke support (LV2 Syscall 6 and 7)
    • PATCHED – LV2: Peek and Poke support for LV1 (LV2 Syscall 8 and 9)
    • PATCHED – LV2: LV1 CALL System call (LV2 Syscall 10)
    • PATCHED – LV2: Allow execution of any LV2 internal function (LV2 Syscall 15)
    • PATCHED – Recovery: Prevent accidental OFW update while on Recovery mode
    • PATCHED – VSH: Allow Unsigned act.dat and *.rif files
    • PATCHED – VSH: Disable NEW PSP DRM Check (Allowing unsigned PSP pkg contents on 4.75 or higher CFW)
    • PATCHED – VSH: Disable Epilepsy Warning for Faster Boot-Up Speed

  • TOOLBOX 02.03.00 Changes
    • 1. Added option to load a payload in kernel, with toolchain provided! It's like the PS3 got the skprx thing going on now
    • 2. Cobra-disable support (8.00 standard), with which PS2 semi-BC and BC consoles won't load ISOs when Cobra is off, only optical media

    Cobra 8.00 (changes from v7.55) - Released 3-3-19
    1. Added option to run a payload with kernel privileges, like PS Vita skprx. This is a big thing! One can make hooks, printf to socat, do whatever they feel they need to do. At the current time only one payload is supported at a time; in the future I might increase this.

    Code:
    /* Opcodes for Cobra's control syscall (LV2 syscall 8), added in 8.00 */
    #define SYSCALL8_OPCODE_DISABLE_COBRA_STAGE 0x6A13
    #define SYSCALL8_OPCODE_RUN_PAYLOAD         0x6CDF

    /* Hand a raw payload blob to Cobra to be run with kernel (LV2) privileges.
       system_call_N() and p1 are the PS3 SDK-style syscall macros used by the
       backup managers; p1 holds the syscall's return value. */
    static int run_payload(uint8_t *payload, int size)
    {
        system_call_3(8, SYSCALL8_OPCODE_RUN_PAYLOAD, (uint64_t)payload, size);
        return (int)p1;
    }

    /* Disable the Cobra stage at runtime (in 8.00 this also stops PS2 BC/semi-BC
       consoles from loading ISOs, so only optical media work). */
    static int disable_cobra(void)
    {
        system_call_1(8, SYSCALL8_OPCODE_DISABLE_COBRA_STAGE);
        return (int)p1;
    }

    2. Boot times are VASTLY improved; there is no stage1.
    3. PS2 BC and semi-BC consoles won't load ISOs when Cobra is disabled (disable Cobra using the opcode).
    4. Enabled Cobra by default, because even Rebug NEEDS Cobra enabled on first boot to initialize 100%.

    UPDATE (3-3-2019)

    • COBRA v8.01 Released (See bottom of article for details)



UPDATE COBRA v8.01 Released (via habib)
COBRA 8.01: small version increment, massive overhaul
  • Added support for dynamic memory payloads; 5 of them can be started from "/dev_hdd0/boot_plugins_kernel.txt"
  • Toolchain updated to support dynamic address loading.
  • For applications, you can also mount them and unmount them separately
https://mega.nz/#!zkZzUIQY!TJP8KTS940I70JHU_QB7vUyHmNVoqJpRKJcEGHeQpZ0
This PoC will read payload.bin from usb000, execute it, write the memory residence location to a file in hdd0/residence and then unload the plugin.

Alternatively you can copy payload.bin and boot_plugins_kernel.txt to hdd0, restart and voila!

This is true dynamic loading, just like PRX!
The src of payload.bin is included with the CFW download.

Of course safety features are included: plugins won't load until VSH appears, and you can go to recovery mode and rebuild the database to remove boot_plugins_kernel.txt.

In a program, with the residence memory location acquired, one can send arguments to the payload using syscall 15.

4.84.2:
https://mega.nz/#!W9YHSIaC!FwBy0Q8t4Rv1AsqhciDyuCDfQNojqQgDRjta6vV5vew

Code:
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <ppu-lv2.h>     /* PSL1GHT (assumed): lv2syscallN, return_to_user_prog */
#include <sys/file.h>    /* PSL1GHT (assumed): sysFsOpen/sysFsRead/sysFsClose, SYS_O_RDONLY */
#include <lv2/sysfs.h>   /* PSL1GHT (assumed): sysLv2FsStat, sysFSStat */

/* Cobra 8.01 control-syscall (LV2 syscall 8) opcodes for dynamic kernel payloads */
#define SYSCALL8_OPCODE_RUN_PAYLOAD_DYNAMIC    0x6CE1
#define SYSCALL8_OPCODE_UNLOAD_PAYLOAD_DYNAMIC 0x6CE3

/* Copy `payload` into kernel memory and run it; Cobra stores the kernel
   address it now resides at into *residence. */
int plugin_kernel_dynamic(uint8_t *payload, int size, uint64_t *residence)
{
    lv2syscall4(8, SYSCALL8_OPCODE_RUN_PAYLOAD_DYNAMIC, (uint64_t)payload, size, (uint64_t)residence);
    return_to_user_prog(uint32_t);
}

/* Unload a payload previously started by plugin_kernel_dynamic(). */
int plugin_kernel_dynamic_unload(uint64_t residence)
{
    lv2syscall2(8, SYSCALL8_OPCODE_UNLOAD_PAYLOAD_DYNAMIC, residence);
    return_to_user_prog(uint32_t);
}

int main(void)
{
    sysFSStat stat;
    int fd;
    uint64_t nread;

    /* read the whole payload from USB into a userland buffer */
    sysLv2FsStat("/dev_usb000/payload.bin", &stat);
    uint64_t size = stat.st_size;
    uint8_t *buf = (uint8_t *)malloc(size);
    sysFsOpen("/dev_usb000/payload.bin", SYS_O_RDONLY, &fd, NULL, 0);
    sysFsRead(fd, buf, size, &nread);
    sysFsClose(fd);

    /* start it in the kernel and record where it lives, so it can later be
       called back through syscall 15 with arguments, or unloaded */
    uint64_t residence;
    plugin_kernel_dynamic(buf, size, &residence);
    FILE *fp = fopen("/dev_hdd0/residence", "wb");
    fwrite(&residence, 8, 1, fp);
    fclose(fp);

    plugin_kernel_dynamic_unload(residence);
    free(buf);
    return 0;
}
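An added example, not part of habib's release or the CFW sources: a host-side checker for a boot_plugins_kernel.txt before it is copied to /dev_hdd0. It assumes the list uses one absolute path per line, the same layout as Cobra's existing boot_plugins.txt (the page does not describe the format), ignores blank and '#' lines, accepts only paths on /dev_hdd0 without traversal (an assumed policy, not a check Cobra is documented to make), and enforces the five-entry limit stated for 8.01. The list contents in SAMPLE_LIST are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_KERNEL_PLUGINS 5      /* Cobra 8.01 starts at most five entries */
#define MAX_PATH_LEN       255    /* assumed upper bound for a PS3 path */

struct plugin_list {
    char path[MAX_KERNEL_PLUGINS][MAX_PATH_LEN + 1];
    int  count;     /* entries accepted, in file order */
    int  rejected;  /* lines that are not an acceptable absolute path */
    int  dropped;   /* acceptable lines beyond MAX_KERNEL_PLUGINS */
};

/* Assumed policy: only absolute paths on the internal HDD, no "..",
 * no whitespace, control or non-ASCII characters. */
static int path_is_acceptable(const char *p)
{
    static const char root[] = "/dev_hdd0/";
    size_t len = strlen(p), rlen = sizeof root - 1;
    if (len <= rlen || len > MAX_PATH_LEN) return 0;
    if (strncmp(p, root, rlen) != 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c <= 0x20 || c >= 0x7f) return 0;
    }
    if (strstr(p, "/../") != NULL) return 0;
    if (strcmp(p + len - 3, "/..") == 0) return 0;   /* len > 10, so in bounds */
    return 1;
}

/* Parse the text of boot_plugins_kernel.txt (LF or CRLF endings) into `out`.
 * Blank lines and lines starting with '#' are skipped. Returns the number
 * of entries accepted; rejected/dropped counts are left in `out`. */
int parse_plugin_list(const char *text, struct plugin_list *out)
{
    memset(out, 0, sizeof *out);
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        size_t trimmed = len;
        while (trimmed && (line[trimmed - 1] == '\r' || line[trimmed - 1] == ' '))
            trimmed--;
        if (trimmed > 0 && line[0] != '#') {
            char buf[MAX_PATH_LEN + 1];
            if (trimmed > MAX_PATH_LEN) {
                out->rejected++;
            } else {
                memcpy(buf, line, trimmed);
                buf[trimmed] = '\0';
                if (!path_is_acceptable(buf))            out->rejected++;
                else if (out->count >= MAX_KERNEL_PLUGINS) out->dropped++;
                else strcpy(out->path[out->count++], buf);
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return out->count;
}

/* Constructed sample list: 5 good entries, 3 bad ones, 1 past the limit. */
static const char SAMPLE_LIST[] =
    "# kernel plugins started by Cobra 8.01 once VSH is up (constructed sample)\r\n"
    "/dev_hdd0/payload.bin\r\n"
    "/dev_hdd0/plugins/fan_policy.bin\n"
    "\n"
    "payload.bin\n"                     /* relative path: rejected */
    "/dev_usb000/test.bin\n"            /* not on the HDD: rejected */
    "/dev_hdd0/../dev_flash/x.bin\n"    /* traversal: rejected */
    "/dev_hdd0/p3.bin\n"
    "/dev_hdd0/p4.bin\n"
    "/dev_hdd0/p5.bin\n"
    "/dev_hdd0/p6.bin\n";               /* sixth good entry: dropped */

int main(void)
{
    struct plugin_list pl;
    parse_plugin_list(SAMPLE_LIST, &pl);
    for (int i = 0; i < pl.count; i++)
        printf("plugin %d: %s\n", i + 1, pl.path[i]);
    printf("accepted %d, rejected %d, dropped beyond limit %d\n",
           pl.count, pl.rejected, pl.dropped);
    return (pl.rejected || pl.dropped) ? 1 : 0;
}
```

Run it over the real file before copying it to /dev_hdd0; a non-zero exit means something in the list would either not be loaded or would load something you did not intend.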
 
Just noticed the quicker boot. Nice.

Can you give us some examples of what is possible with this new payload function? I don't really understand it. Is there a noob-friendly version :)

Does it mean it will basically allow custom patches to Cobra(?) RAM(?) on the fly, read from USB? And can they be triggered anytime or are they just read at boot?
You can, for example, hook some LV2 function from that kind of payload, etc.
It's like suprx and skprx on the Vita: suprx was already there, now we have skprx.
 
With the toolchain already provided, you can access LV1 calls in the payload, hook the kernel functions, make conditions and the like. Think of PS Vita skprx TAIHOOK; this is what it does. Use internal functions to control the kernel, run arbitrary code in the kernel. I made it easy: you can code in C, I built the asm part already, so it's very easy for any of you to code. You can also release the hooks and run another payload, for example to change kernel conditions. Check test_payload in the src, that's the dev environment. Any questions, feel free to ask.

Oh, and they can be recalled with syscall 15 WITH ACTUAL ARGUMENTS!
0x80000000007f0000
This address is where the payload will reside, so yes, you can indeed recall it with arguments as well.

Example payload:
https://www.sendspace.com/file/6jt72g
It will write usb000/test_payload_in with 4 bytes. Nothing special, but it shows the potential: internal libraries used from C.
 
Can you add the disable Cobra opcode?
It's a feature set of 8.00 allowing proper disabling for PS2 BC and semi-BC.

Maybe later, when more CFWs adopt Cobra 8.0... wMM requires Cobra for most of its features.
Anyway, Cobra is "disabled" when the syscalls are removed, and that feature works for all CFWs.

If you want to implement it into wMM, I could include your code in the next update.
 
You can add a Cobra version check, because if you simply rename stage2, semi-BC/BC PS2 emus will load ISOs.
 

@habib Would that new payload function with kernel privileges allow setting the fan speed as a Cobra opcode, or let some services (FTP, fan control, netiso) stay running when a PS2 game is loaded?
 
I got a fan control payload for ps2_netemu from picard; it just requires more work. Basically it is not working as is, but it's a good example of how to start doing it. :D

Edit: I think only reading the fan speed works for now.

It's a good start :) I'm basically interested in a way to set the fan speed, even if wMM is not loaded. If it's not possible with Cobra, maybe integrating sys_init_osd.self + sm.self by MLT + Estwald as a standard service. That is a really nice method to load payloads, almost ignored lately.
 
You can find payloads for reading the fan speed, LV1 poke, dumping memory, etc. in picard's database for ps2_netemu. I can share it in private if anyone wants it (it was released publicly, just the links are dead). Small example:

Code:
0x290500 # =============== S U B R O U T I N E =======================================
0x290500
0x290500 # r3 = sys_info,
0x290500 # r4 = u8 id,
0x290500 # r5 = u8 *out_st,
0x290500 # r6 = u8 *out_mode,
0x290500 # r7 = u8 *out_speed,
0x290500 # r8 = u8 *out_4,
0x290500
0x290500 sm_get_fan_policy:                      # CODE XREF: sub_290670+4C↓p
0x290500
0x290500 .set var_30, -0x30
0x290500 .set var_28, -0x28
0x290500 .set var_20, -0x20
0x290500 .set var_18, -0x18
0x290500 .set var_10, -0x10
0x290500 .set var_8, -8
0x290500 .set arg_10,  0x10
0x290500
0x290500                 stdu      r1, -0xA0(r1)
0x290504                 mflr      r0
0x290508                 std       r0, 0xA0+arg_10(r1)
0x29050C                 std       r26, 0xA0+var_30(r1)
0x290510                 std       r27, 0xA0+var_28(r1)
0x290514                 std       r28, 0xA0+var_20(r1)
0x290518                 std       r29, 0xA0+var_18(r1)
0x29051C                 std       r30, 0xA0+var_10(r1)
0x290520                 std       r31, 0xA0+var_8(r1)
0x290524                 mr        r26, r8
0x290528                 mr        r27, r7
0x29052C                 mr        r28, r6
0x290530                 mr        r29, r5
0x290534                 mr        r30, r3
0x290538                 addi      r31, r3, 0x2980 # *tx_hdr,  0xB48A80
0x29053C                 clrldi    r8, r31, 32
0x290540                 lbz       r10, 0(r31)   # load *tx_hdr.status
0x290544                 cmpwi     cr7, r10, 0
0x290548                 bne       cr7, loc_29064C # branch if tx_hdr.status != 0, panic
0x29054C                 li        r11, 1
0x290550                 stb       r11, 0(r31)
0x290554                 li        r0, 0x10
0x290558                 li        r9, 8
0x29055C                 stb       r0, 1(r31)
0x290560                 stw       r9, 4(r31)
0x290564                 li        r0, 50        # service_id = 50(get fan policy)
0x290568                 li        r9, 0
0x29056C                 sth       r0, 8(r31)
0x290570                 sth       r9, 0xA(r31)
0x290574                 stw       r10, 0xC(r31)
0x290578                 sth       r10, 2(r31)
0x29057C                 addi      r9, r3, 0x2990 # 0xB48A90
0x290580                 li        r3, 0
0x290584                 std       r3, 0(r9)
0x290588                 stb       r4, 1(r9)     # set tx_payload_01 to id
0x29058C                 stb       r11, 0(r9)    # set tx_payload_00 to 1
0x290590                 lbz       r0, 0(r31)
0x290594                 cmpwi     cr7, r0, 0
0x290598                 beq       cr7, loc_29064C
0x29059C                 mr        r4, r8
0x2905A0                 li        r3, 2
0x2905A4                 li        r5, 0x18
0x2905A8                 bl        vuart_write   # (2, *tx_hdr, 0x18);  // service_id, 50(get fan policy)
0x2905AC                 lbz       r0, 0(r31)
0x2905B0                 cmpwi     cr7, r0, 0
0x2905B4                 beq       cr7, loc_290604
0x2905B8
0x2905B8 loc_2905B8:                             # CODE XREF: sm_get_fan_policy+100↓j
0x2905B8                 mr        r31, r31
0x2905BC                 mr        r31, r31
0x2905C0                 mr        r31, r31
0x2905C4                 mr        r31, r31
0x2905C8                 mr        r31, r31
0x2905CC                 mr        r31, r31
0x2905D0                 mr        r31, r31
0x2905D4                 mr        r31, r31
0x2905D8                 mr        r31, r31
0x2905DC                 mr        r31, r31
0x2905E0                 mr        r31, r31
0x2905E4                 mr        r31, r31
0x2905E8                 mr        r31, r31
0x2905EC                 mr        r31, r31
0x2905F0                 mr        r31, r31
0x2905F4                 mr        r31, r31
0x2905F8                 lbz       r0, 0(r31)
0x2905FC                 cmpwi     cr7, r0, 0
0x290600                 bne       cr7, loc_2905B8
0x290604
0x290604 loc_290604:                             # CODE XREF: sm_get_fan_policy+B4↑j
0x290604                 lbz       r0, 0x3191(r30)
0x290608                 lbz       r10, 0x3194(r30)
0x29060C                 lbz       r9, 0x3192(r30)
0x290610                 lbz       r11, 0x3193(r30)
0x290614                 stb       r0, 0(r26)    # out_4
0x290618                 stb       r9, 0(r29)    # st
0x29061C                 stb       r11, 0(r28)   # mode
0x290620                 stb       r10, 0(r27)   # speed
0x290624                 ld        r0, 0xA0+arg_10(r1)
0x290628                 ld        r26, 0xA0+var_30(r1)
0x29062C                 ld        r27, 0xA0+var_28(r1)
0x290630                 mtlr      r0
0x290634                 ld        r28, 0xA0+var_20(r1)
0x290638                 ld        r29, 0xA0+var_18(r1)
0x29063C                 ld        r30, 0xA0+var_10(r1)
0x290640                 ld        r31, 0xA0+var_8(r1)
0x290644                 addi      r1, r1, 0xA0
0x290648                 blr
0x29064C # ---------------------------------------------------------------------------
0x29064C
0x29064C loc_29064C:                             # CODE XREF: sm_get_fan_policy+48↑j
0x29064C                                         # sm_get_fan_policy+98↑j
0x29064C                 li        r3, 1
0x290650                 bl        panic
0x290654                 nop
0x290654 # End of function sm_get_fan_policy
0x290654
0x290654 # ---------------------------------------------------------------------------
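As an added example that is not from the page or from picard's payload, here is the request frame the sm_get_fan_policy listing above assembles before vuart_write(2, tx_hdr, 0x18), rendered in C from the offsets and comments in the listing, together with the decode of the four reply bytes it copies out of sys_info once the status byte returns to zero. The meaning of the 0x10 stored at +1 and the 8 stored at +4 is not stated in the listing, so they are kept as opaque constants; Cell/PPC is big-endian, so the halfword and word fields are written MSB first. The reply bytes in sm_demo() are constructed, and nothing here talks to real hardware.

```c
#include <stdint.h>
#include <string.h>

#define SM_FRAME_LEN           0x18   /* byte count passed to vuart_write */
#define SM_VUART_PORT          2      /* first argument to vuart_write in the listing */
#define SM_SVC_GET_FAN_POLICY  50     /* service_id at +8 */

/* Offsets of tx_hdr and the reply bytes relative to sys_info (r3/r30). */
#define SM_TX_HDR_OFF  0x2980
#define SM_RX_OUT4     0x3191
#define SM_RX_ST       0x3192
#define SM_RX_MODE     0x3193
#define SM_RX_SPEED    0x3194

struct sm_fan_policy { uint8_t st, mode, speed, out_4; };

static void put_be16(uint8_t *p, uint16_t v)
{ p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

static void put_be32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Fill the 0x18-byte frame exactly as the listing stores it. Returns 0 when
 * tx_hdr.status is not idle, which is the branch that ends in panic(1). */
int sm_build_get_fan_policy(uint8_t *tx_hdr, uint8_t id)
{
    if (tx_hdr[0] != 0) return 0;          /* status must be 0 before we start */
    memset(tx_hdr, 0, SM_FRAME_LEN);
    tx_hdr[0] = 1;                         /* status = busy (li r11,1; stb r11,0(r31)) */
    tx_hdr[1] = 0x10;                      /* opaque constant from the listing */
    put_be16(tx_hdr + 0x2, 0);
    put_be32(tx_hdr + 0x4, 8);             /* opaque constant from the listing */
    put_be16(tx_hdr + 0x8, SM_SVC_GET_FAN_POLICY);
    put_be16(tx_hdr + 0xA, 0);
    put_be32(tx_hdr + 0xC, 0);
    tx_hdr[0x10] = 1;                      /* tx_payload_00 = 1 */
    tx_hdr[0x11] = id;                     /* tx_payload_01 = id (r4) */
    return SM_FRAME_LEN;
}

/* Copy out the four bytes the listing reads once status has dropped to 0. */
void sm_parse_fan_policy(const uint8_t *sys_info, struct sm_fan_policy *out)
{
    out->out_4 = sys_info[SM_RX_OUT4];
    out->st    = sys_info[SM_RX_ST];
    out->mode  = sys_info[SM_RX_MODE];
    out->speed = sys_info[SM_RX_SPEED];
}

/* Walk the whole exchange on a constructed sys_info image: build the frame
 * at sys_info+0x2980, copy it to frame_out, then plant a constructed reply
 * and decode it. Returns the decoded policy. */
struct sm_fan_policy sm_demo(uint8_t *frame_out)
{
    static uint8_t sys_info[0x3200];
    memset(sys_info, 0, sizeof sys_info);
    uint8_t *tx_hdr = sys_info + SM_TX_HDR_OFF;

    sm_build_get_fan_policy(tx_hdr, 0);
    memcpy(frame_out, tx_hdr, SM_FRAME_LEN);   /* what vuart_write(2, ...) would send */

    /* constructed reply: status cleared, rx bytes filled in */
    tx_hdr[0] = 0;
    sys_info[SM_RX_ST]    = 1;
    sys_info[SM_RX_MODE]  = 2;
    sys_info[SM_RX_SPEED] = 0x40;
    sys_info[SM_RX_OUT4]  = 0;

    struct sm_fan_policy pol;
    sm_parse_fan_policy(sys_info, &pol);
    return pol;
}
```

The busy-wait in the listing (the run of `mr r31, r31` followed by re-reading status) is the part a real payload still has to provide; the frame layout above is what goes over the vuart before that wait.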
 
(quoting habib's COBRA 8.01 post above)
Added in OP
 
What about QA flags? Firmware won't install via recovery, even over itself.
What error are you getting?

When trying to update from recovery over itself I get the 8002F325 error "the data is corrupted". This is a known CFW bug that shows up for (some?) people; the solution is to either update via XMB or use another CFW as a bridge (e.g. Ferrox 4.84) if you are stuck in recovery for some reason, for example if you've swapped HDD.

I have installed it over itself from the XMB already, no problem (updated from dev_hdd0/updater/ as System Update Debug is enabled).

If you don't have System Update Debug enabled it might not install over itself from XMB, as it will say you are already up to date. To enable it, make sure you are QA flagged, then input the button combo to show debug settings, then enable "System Update Debug"; then you can install PUPs from dev_hdd0/updater/01/ and it will let you install the same version from XMB.
 